News

CISA Outlines Cybersecurity Goals in 3-Year Plan

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) described a "Strategic Plan" for cybersecurity over the next three years, per a Friday announcement.

The plan stressed collaboration, and included steps for industry to implement. CISA typically advises federal government agencies, but the plan was directed toward organizations more generally. Much of the plan focused on what "technology providers" should do to improve security.

The implications for technology providers are most clearly expressed in the document's "Goal 3" section. Here, CISA reiterated its general exhortations that technology products need to be secure upon product release.

As a society, we can no longer accept a model where every technology product is vulnerable the moment it is released and where the overwhelming burden for security lies with individual organizations and users. Technology should be designed, developed, and tested to minimize the number of exploitable flaws before they are introduced to the market.

Technology providers need to "build security into products throughout their lifecycle, ship products with secure defaults, and foster radical transparency when known weaknesses are present in software, hardware, systems, and supply chains," the document added.

Goals for Technology Providers
CISA's document appears to lay out as steps for software and device makers to implement in its "Goal 3" section.

Per a "measurement of effectiveness" segment (p. 21), CISA wants technology providers to:

  • Publish "detailed threat models" showing where product protections are needed.
  • Attest that they are meeting the controls specified in NIST's Secure Software Development Framework (SSDF).
  • Publicize that their product's common vulnerabilities and exposures (CVEs) "entries are correct and complete."
  • Publish "secure-by-design" roadmaps, "including how the provider is making changes to their software development processes, measuring defect rates, and setting goals for improvement, and transitioning to memory-safe programming languages."
  • Publish "security-relevant statistics and trends, such as MFA [multifactor authentication] adoption, use of unsafe legacy protocols, and the percentage of customers using unsupported product versions."

Voluntary Reporting, for Now
CISA's "Strategic Plan" document stressed "shared efforts" toward shoring up cybersecurity. CISA wants technology providers to publish security-relevant statistics so that it can take a "data-driven approach" toward identifying practices that are subject to attacks.

However, CISA also added that it will "take steps to advance transparency, including through adoption of Software Bills of Materials and rigorous vulnerability disclosure practices."

One effort to advance transparency is the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which was passed last year by the Biden administration, per this CISA document. It currently encourages voluntary reporting by organizations about cybersecurity incidents, but it will be "supplemented by mandatory reporting" in future years. The mandatory reporting will take effect when a Final Rule is implemented. The timing for that implementation is vague as CISA must first issue a Notice of Proposed Rulemaking, according to the document.

CISA isn't planning to supplant or duplicate commercial cybersecurity capabilities, but it will provide capabilities for federal civilian executive branch agencies and resource-poor targeted organizations. It plans to assess cybersecurity generally using "commercial Attack Surface Management and similar capabilities."

CISA added that "only when no viable capabilities exist in the commercial market will we consider developing an in-house capability."

Top Vulnerabilities
Also this week, CISA announced publication of the "2022 Top Routinely Exploited Vulnerabilities," in conjunction with other international cybersecurity agencies. This publication has recommendations for "vendors, designers, developers, and end-user organizations" to implement, including SSDF and secure-by-design principles.

CISA's top 2022 list was based on the CVEs that were "routinely and frequently exploited by malicious cyber actors in 2022." It included vulnerabilities found in software by Fortinet, Microsoft, Zoho, Atlassian, VMware, F5 and more.

However, Microsoft appeared to be the vendor that was most frequently found to have its software vulnerabilities exploited in 2022, per CISA's list.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

Featured

  • Image of a futuristic maze

    The 2024 Microsoft Product Roadmap

    Everything Microsoft partners and IT pros need to know about major Microsoft product milestones this year.

  • SharePoint Embedded Becomes Generally Available

    After a six-month preview, SharePoint Embedded, an API-based version of SharePoint that developers and ISVs can use to embed Microsoft 365 capabilities into their apps, is now generally available.

  • Copilot in Microsoft 365 Getting Agents, Extensions and Team (Not Teams) Support

    Microsoft is adding more functionality to its Copilot AI assistant aimed at improving business collaboration, processes and workflows for Microsoft 365 users.

  • Microsoft Giving Startups Templates To Build AI Apps

    A new perk for businesses enrolled in the Microsoft for Startups Founders Hub program aims to fast-track their ability to build AI-powered applications.